3.1.5.2.1 Certificate Mapping
The KDC SHOULD look up the account using the cname. If the account is not found and the cname name-type is NT-X500-PRINCIPAL, the KDC locates the account in the account database using the explicit mapping fields. For PKCA KDC implementations that use Active Directory as the account database, the mapping check depends on the WT and ST bits of the account's userAccountControl attribute ([MS-ADA3] section 2.342, bit definitions in [MS-ADTS] section 2.2.16):
Either bit TRUE: validate the certificate mapping using the SAN DNSName field.<21>
Both FALSE: validate the certificate mapping using the SAN UPNName field first, then try explicit mapping.
If the account is not found, the KDC returns KDC_ERR_C_PRINCIPAL_UNKNOWN.
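The lookup and mapping decision above, written out as an added illustration (not Microsoft's code). The account database, certificate fields and explicit-mapping strings are constructed; the WT/ST bit values and the NT-X500-PRINCIPAL and KDC_ERR_C_PRINCIPAL_UNKNOWN numbers are the standard ones, and the explicit-mapping representation is a simplified stand-in.

```python
"""Model of the KDC certificate-mapping decision described in this section."""
from dataclasses import dataclass

# userAccountControl bits named WT and ST in MS-ADTS section 2.2.16
WT = 0x00001000  # WORKSTATION_TRUST_ACCOUNT
ST = 0x00002000  # SERVER_TRUST_ACCOUNT
NT_X500_PRINCIPAL = 6          # cname name-type for X.500 distinguished names
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6


@dataclass
class Account:
    uac: int
    upn: str = ""
    dns_host: str = ""
    explicit: frozenset = frozenset()  # constructed stand-in for explicit mapping fields


@dataclass
class ClientCert:
    san_dns: tuple = ()
    san_upn: tuple = ()
    explicit_id: str = ""  # constructed stand-in for the value explicit mapping matches on


def lookup_account(db, cname, name_type, cert):
    """Return the mapped Account, KDC_ERR_C_PRINCIPAL_UNKNOWN if no account is
    found, or None if an account is found but the certificate does not map to it
    (this section does not name the error for that case)."""
    acct = db.get(cname)                      # 1. look up by cname
    if acct is None and name_type == NT_X500_PRINCIPAL:
        # 2. X.500 cname not found: locate the account via explicit mapping
        acct = next((a for a in db.values() if cert.explicit_id and cert.explicit_id in a.explicit), None)
    if acct is None:
        return KDC_ERR_C_PRINCIPAL_UNKNOWN
    if acct.uac & (WT | ST):                  # 3a. computer/DC account: DNSName
        ok = bool(acct.dns_host) and acct.dns_host in cert.san_dns
    else:                                     # 3b. user: UPNName, then explicit
        ok = (bool(acct.upn) and acct.upn in cert.san_upn) or \
             (bool(cert.explicit_id) and cert.explicit_id in acct.explicit)
    return acct if ok else None


# Constructed sample directory: one user and one workstation trust account.
SAMPLE_DB = {
    "alice": Account(uac=0x200, upn="alice@corp.example", explicit=frozenset({"X509:ALICE"})),
    "host1$": Account(uac=WT, dns_host="host1.corp.example"),
}
```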